Red Team Tool Cobalt Strike 4.11 Released With out-of-the-box Evasion Options


Cobalt Strike has released version 4.11 with significant improvements to its evasion capabilities, making the popular red team tool more resilient against modern security solutions. 

The update introduces a novel Sleepmask, new process injection techniques, enhanced obfuscation options, and stealthier communication methods – all designed to operate effectively without requiring extensive customization.

Major Evasion Enhancements

The cornerstone of this release is a comprehensive overhaul of Cobalt Strike's out-of-the-box evasion options. 

The update introduces a novel Sleepmask that automatically obfuscates Beacon, its heap allocations, and itself, making it robust against static signatures at runtime without additional configuration.

A standout addition is the new ObfSetThreadContext process injection technique, which is now the default method used by Beacon. 

This technique can evade detection tools that identify injected threads by looking for start addresses not backed by Portable Executable images on disk.

This code snippet demonstrates how ObfSetThreadContext can be configured to set all new threads to spawn at a legitimate exported ntdll function, effectively masking the injection.

Enhanced Payload Protection

Cobalt Strike 4.11 has ported Beacon’s default reflective loader to a new prepend/sRDI style loader with several evasive features, including EAF bypass options and support for indirect syscalls.

The new transform-obfuscate feature allows for the automatic application of complex obfuscation routines to Beacon payloads. For instance:

This transforms a Beacon payload by compressing it, RC4-encrypting it with a random 64-bit key, XOR-encrypting it with a random 32-bit key, and finally base64-encoding it.

Another significant feature is the introduction of asynchronous Beacon Object Files (BOFs) via the new Postex DLL, async-execute.dll. 

This allows operators to run multiple BOFs simultaneously within the same process while Beacon is sleeping, operating in either single-shot or background mode.

For stealthier network communications, Cobalt Strike 4.11 introduces a DNS over HTTPS (DoH) Beacon, providing an additional covert egress option. 

By default, Beacon uses mozilla.cloudflare-dns.com and cloudflare-dns.com as its DoH servers, but this can be customized via Malleable C2:

The release also includes several usability enhancements, such as command line variables corresponding to Beacon console metadata, reorganized help commands, and GUI improvements, including customizable console buffer size and text wrapping options.

By default, Beacon now enables sleepmask, cleanup, and XOR obfuscation, making it resistant to static signatures throughout the attack chain without requiring manual configuration.

These updates collectively represent a significant advancement for red teams seeking to emulate sophisticated threat actors while remaining undetected by modern security solutions. 

The focus on out-of-the-box functionality significantly reduces the customization burden previously required for effective operations with Cobalt Strike.
